The full name for the organization responsible for two popular security certifications—the Certified Information Systems Security Professional (CISSP) and the Systems Security Certified Practitioner (SSCP)—is the International Information Systems Security Certification Consortium, Inc. (IISSCC). Everybody takes the easy way out and calls this group (ISC)2 (pronounced "ISC-squared")—even the organization itself, although the preferred representation takes the form (ISC)².
The (ISC)2 includes representatives from numerous security companies, academic institutions, government agencies, and professional associations. Working groups composed of members created and maintain the requirements for two vendor-neutral security certifications, as follows:
- Certified Information Systems Security Professional (CISSP). The (ISC)2's senior-level security certification, the CISSP, identifies individuals who can effectively design and develop information security policies, standards, and related practices and procedures. This certification also recognizes those who can additionally manage and maintain security policies and standards as well as operational security matters across an entire organization. (ISC)2 offers three CISSP concentrations: Information System Security Architecture Professional (ISSAP), Information System Security Management Professional (ISSMP), and Information System Security Engineering Professional (ISSEP). Because the CISSP certification has been around since 1992, it's the oldest such certification that we know about. It also boasts a certified population of about 15,000.
- Systems Security Certified Practitioner (SSCP). The other (ISC)2 security certification is more entry-level. It identifies network and systems administrators who can implement and manage the policies, standards, practices, and procedures that CISSPs create and manage, on whatever hardware and software is involved. Thus, the SSCP complements the CISSP as an operations certification.
NOTE: (ISC)2 offers a program called the Associate of (ISC)2, which recognizes candidates who have passed the SSCP or CISSP exam and are in the process of gaining the required experience to become SSCP or CISSP certified. The Associate of (ISC)2 is not a certification but rather a stepping stone on the way to the SSCP or CISSP. According to the (ISC)2 Web site, Associate candidates benefit from obtaining "career-related support" through (ISC)2 early on in their professions.
The best source of information for these (ISC)2 certifications is in their respective study guides. To download study guides, visit http://www.isc2.org/cgi-bin/request_studyguide.cgi.
About the CISSP Program
Becoming a CISSP requires that you pass one exam, but it's a challenge: This exam consists of 250 multiple-choice questions pulled from 10 different security-related knowledge domains. That's why candidates are given up to six hours to complete this exam. In fact, the CISSP is a senior-level certification intended to identify individuals who are fully qualified to work as security professionals full-time. In practice, working full-time in security means filling one of two kinds of jobs:
- A full-time job as a security professional inside a corporation or organization big enough to need its own in-house security staff full-time.
- A full- or part-time job as a security consultant, either freelance or within a consulting organization, in which a full-time security professional handles as many accounts as are necessary to generate the right level of billing. Thus, such a job could fall in any kind of organization, from a small, focused security professional practice to a large, multinational consulting firm that offers security consulting among its other professional services.
For serious, advanced security professionals, the knowledge domains associated with the CISSP cover a lot of ground, but the exam sticks closely to subjects and technologies intimately related to security matters. The 10 knowledge domains relevant to the CISSP include the following:
- Access Control Systems and Methodology. This involves planning, design, use, maintenance, and auditing of user and group accounts; access controls; rights and permissions; and various authentication mechanisms.
- Application and Systems Development. This area involves understanding how security relates to application development and data management, including technologies and threats such as worms, viruses, Trojan horses, active content, and more. It also encompasses working with databases and data warehouses, managing and controlling data stores, working with systems development and security control systems and architectures, managing system integrity levels, recognizing and dealing with malicious code, and understanding common system and network attacks.
- Business Continuity and Disaster Recovery Planning. This includes mastering common practices, data requirements, and arrangements necessary to maintain business continuity in the face of disruptions. It also involves planning, preparation, testing, and maintenance of specific actions to prevent critical business processes and activities from being adversely affected by failures and interruptions.
- Operations Security. In this area, topics include planning, design, implementation, and management of system and network security, including basics of administrative management. Also included are important concepts in security operations such as antivirus management, backups, and need-to-know regimes; kinds and methods for applying operational security controls; access control requirements; auditing needs, methods, and reports; monitoring types, tools, and techniques; and intrusion detection and penetration testing needs, methods, and tools.
- Cryptography. Candidates must understand basic cryptography and how it applies to confidentiality, integrity, authentication, and nonrepudiation. In addition, key areas include cryptographic concepts, methods, and practices, including digital signatures; encryption/decryption and related algorithms; key distribution, escrow, and recovery; error detection/correction; hashes, digests, and ciphers; public and private key algorithms; public key infrastructure (PKI); architectures for implementing cryptography; and well-known cryptographic attacks and countermeasures.
- Law, Investigation, and Ethics. This requires a basic understanding of laws and regulations on licensing, intellectual property, imports/exports, liability, and data flows across borders relevant to system or network security or business operations. This includes knowledge of computer crime laws and regulations, investigative procedures, evidence gathering, incident handling, and ethical and conduct issues.
- Physical Security. This involves understanding facilities requirements, controls, and environmental and safety issues as well as understanding physical security threats and elements of physical security such as threat prevention, detection, and suppression; fire, water, and toxic material threats; and alarms and responses.
- Security Architecture and Models. This includes basic principles of computer and network architecture; common security model architectures and evaluation criteria; and common security flaws and issues linked to specific architectures and designs.
- Security Management Practices. Basic concepts and principles include privacy, confidentiality, availability, authorization, identification and authentication, and accountability. Also included are change control and management, data classification schemes (government and private), employment policies and practices, and ways to work with procedural security for formulating policies, guidelines, and procedures.
- Telecommunications, Network, and Internet Security. This area includes the ISO/OSI Network Reference Model; communications and network security through topology, protocols, services, APIs, and remote access; Internet/intranet/extranet equipment and issues such as firewalls, routers, switches, proxies, and gateways; TCP/IP and related protocols and services; and connection services. Also included is a broad range of communications security techniques such as tunneling, VPNs, NAT, and error detection and correction methods; security practices for email, fax, and voice services; and common network attacks and associated countermeasures.
CISSP candidates must agree to abide by the CISSP code of ethics, submit an Endorsement Form signed by a CISSP, and, if selected, pass a background and experience audit. Candidates must have four or more years of experience in at least one of the 10 knowledge domains (or three years’ direct experience along with a college degree or the equivalent life experience).
By virtue of its length and its broad coverage, the CISSP exam is regarded as something of an ordeal. That's why we urge you to obtain and review the CISSP Study Guide mentioned earlier in this article, especially the reference materials cited therein. You might be interested to learn that the (ISC)2 calls the objectives based on its 10 CISSP information domains the Common Body of Knowledge (CBK). That's why you might want to take an authorized CBK Review Seminar to help prepare for this exam.
CISSPs can choose a concentration much like a college student chooses a "major" in a college degree program. Currently, (ISC)2 offers three concentrations: ISSAP (Architecture), ISSMP (Management), and ISSEP (Engineering). The ISSAP and ISSMP exams consist of 125 items; the ISSEP exam consists of 150 items. Candidates have up to 3 hours to complete each concentration exam. Visit https://www.isc2.org/cgi-bin/content.cgi?category=84#cat06 for details about the ISSAP, ISSMP, and ISSEP concentrations.
A CISSP certification lasts 3 years; to recertify, you must either take 120 hours of continuing education during the interim or retake the exam; see isc2.org/cgi-bin/content.cgi?page=43 or isc2.org/cgi-bin/content.cgi?category=24 for more information.
About the SSCP Program
Obtaining an SSCP also means passing one exam. The number of questions is half that for the CISSP: 125 questions, with up to 3 hours to complete it. The SSCP is an entry-level security certification that identifies individuals who can integrate day-to-day security activities into full-time jobs as system or network administrators. Although the descriptions for all seven of the knowledge domains for the SSCP match those for the CISSP, an SSCP candidate's knowledge need not be as deep or intimate as a CISSP candidate's.
The seven information domains for the SSCP are as follows:
- Access Control. This involves using, applying, monitoring, and maintaining access controls to determine what users can do, which resources they may use, and the operations that they can perform on a system. This includes familiarity with access controls such as biometrics, hardware tokens/smart cards, and passwords, with an understanding of the levels of confidentiality, integrity, and availability that each type allows.
- Administration. This means identifying information assets and documenting security policies, standards, practices, and procedures necessary to protect them. This includes privacy issues; data integrity; security audits; organizational roles and responsibilities; security policies, practices, procedures, and guidelines; and security education, awareness, and ongoing security maintenance.
- Audit and Monitoring. Included here are the topics of monitoring system activities and events, plus auditing use and assignment of access controls and related system objects or resources. This area also covers data collection, including logging, sampling, and reporting; audit review and compliance checking; and legal issues related to monitoring and auditing.
- Cryptography. Cryptography provides mechanisms to alter data to maintain its integrity, confidentiality, and authenticity. Topics included are basic cryptography terms and concepts; definitions, applications, and uses for public and private key technologies; and the use of digital signatures.
- Data Communications. This area covers network structures, transmission methods, transport formats, and protocol- and service-level measures used to maintain data integrity, availability, authentication, and confidentiality. This includes issues related to communications and network security for local and wide area networks; remote access; roles that networking devices—such as routers, switches, firewalls, proxies, and so on—play on the Internet, extranets, and intranets; security aspects of TCP/IP protocols and services; and techniques for detecting and preventing network attacks.
- Malicious Code/Malware. Malicious code means any software-based security threat that can compromise access to, operation of, or contents of systems or networks, including viruses, worms, Trojan horses, active content, and other threats. Candidates should understand mobile and malicious code, be able to identify related threats, explain how such code enters networks, and describe and apply appropriate protection, repair, and recovery methods.
- Risk, Response, and Recovery. Risk management means identifying, measuring, and controlling losses associated with business interruptions and disruptions, or system and network compromises or failures. This includes security reviews, risk analyses, evaluation and choice of safeguards, cost benefit analyses, management decisions, plus implementing safeguards and efficacy reviews.
The SSCP exam is relatively easy when compared to the CISSP exam, but it's no pushover. That's why we urge you to obtain and review the online SSCP Study Guide—especially the reference materials—cited earlier in this article. Although the course covers all 10 CBK domains (and the SSCP covers only 7 of those 10), you might want to investigate an authorized CBK Review Seminar to help you prepare for this exam.
Like the CISSP, the SSCP certification lasts for three years. You can recertify by taking 60 hours of continuing education during the interim or by retaking the CISSP exam; see http://www.isc2.org/cgi-bin/content.cgi?page=46 for more information.